fix(oembed): validate provider data before populating list

Sukhendu2002 · Sukhendu2002 · commit b301211d8016 · 2026-04-22T14:47:20.000+05:30
diff --git a/src/wp-includes/class-wp-oembed.php b/src/wp-includes/class-wp-oembed.php
@@ -23,7 +23,9 @@ class WP_oEmbed {
 	 * A list of oEmbed providers.
 	 *
 	 * @since 2.9.0
-	 * @var array
+	 * @var array<string, array{ 0: string, 1: bool }> An associative array mapping URL patterns to provider data.
+	 *                                                     Each entry's value is an array with the provider endpoint URL
+	 *                                                     string at index 0 and a boolean regex flag at index 1.
 	 */
 	public $providers = array();
 
@@ -222,24 +224,25 @@ public function __construct() {
 		 * @since 2.9.0
 		 *
 		 * @param array<string, array{ 0: string, 1?: bool }> $providers An associative array mapping URL patterns to
-		 *                                                                provider data. Each value must be an array
-		 *                                                                with a provider endpoint URL string at index 0
-		 *                                                                and an optional boolean regex flag at index 1.
+		 *                                                               provider data. Each value must be an array
+		 *                                                               with a provider endpoint URL string at index 0
+		 *                                                               and an optional boolean regex flag at index 1.
 		 */
-		$this->providers = apply_filters( 'oembed_providers', $providers );
-
-		foreach ( $this->providers as $matchmask => $data ) {
+		$providers = apply_filters( 'oembed_providers', $providers );
+		foreach ( $providers as $matchmask => $data ) {
 			if ( ! is_array( $data ) || ! isset( $data[0] ) || ! is_string( $data[0] ) ) {
 				_doing_it_wrong(
-					'oembed_providers',
+					__METHOD__,
 					sprintf(
 						/* translators: %s: The oEmbed provider URL pattern. */
 						__( 'The oEmbed provider data for %s is malformed. Each provider must be an array with a provider endpoint URL string at index 0 and an optional boolean regex flag at index 1.' ),
 						'<code>' . esc_html( (string) $matchmask ) . '</code>'
 					),
 					'7.1.0'
 				);
-				unset( $this->providers[ $matchmask ] );
+			} else {
+				$data[1]                       = (bool) ( $data[1] ?? false );
+				$this->providers[ $matchmask ] = $data;
 			}
 		}
 
diff --git a/tests/phpunit/tests/oembed/wpOembed.php b/tests/phpunit/tests/oembed/wpOembed.php
@@ -282,7 +282,7 @@ public function test_wp_filter_pre_oembed_result_multisite_restores_state_if_no_
 	 *
 	 * @covers WP_oEmbed::__construct
 	 */
-	public function test_malformed_provider_triggers_doing_it_wrong_and_is_removed() {
+	public function test_malformed_provider_triggers_doing_it_wrong() {
 		$filter = static function ( $providers ) {
 			$providers['bad_provider'] = array(
 				'url'      => '#https?://example\.site/.*#i',
@@ -292,7 +292,7 @@ public function test_malformed_provider_triggers_doing_it_wrong_and_is_removed()
 		};
 
 		add_filter( 'oembed_providers', $filter );
-		$this->setExpectedIncorrectUsage( 'oembed_providers' );
+		$this->setExpectedIncorrectUsage( 'WP_oEmbed::__construct' );
 		$oembed = new WP_oEmbed();
 		remove_filter( 'oembed_providers', $filter );
 
